Simple Deployment with Azure Container App
This guide provides step-by-step instructions to publish Keeper Automator to the Azure Container App service. This provides a simple and straightforward way to host the Automator service in the cloud.
Open a command line interface and generate a 256-bit AES key in URL-encoded format using one of the methods below, depending on your operating system:
Save the resulting value produced by this command for Step (3).
If you do not already have a container registry, you must create one and configure as you see fit. Example below.
From Azure, create a new Container App.
Select or create a new Resource Group
Set the Container App Name to "keeperautomator" or whatever you prefer
Select "Container Image" as the Deployment Source
Select the region where you would like the service hosted
In the "Container" step, make the following selections:
Uncheck the "Use quickstart image"
Select "Docker Hub or other registries"
Select "Public"
Select Registry login server as
On the Ingress setup screen, select the following:
Enable Ingress
Ingress traffic Accepting traffic from anywhere (we'll modify this in a later step)
Ingress type HTTP
Click "Review + Create" and then click "Create"
After a few minutes, the container app will be created and automatically start up.
Clicking on "Go to Resource" will take you to the container environment.
To restrict communications to the Keeper Automator service, click on the "Ingress" link on the left side of the screen under the "Network" section
Click on "Ingress"
Select "Allow traffic from IPs configured below, deny all other traffic"
Click "Add" to add and any of your IPs required for testing the service. Ingress Requirements information:
Select Application > Scale and set min and max replicas to 1
Click "Save as a new revision"
Select Application > Volumes and click "+ Add"
Add a Ephemeral Storage and name it as you wish and click "Add"
Then click "Save as a new revision"
Navigate to the "Application > Revisions and Replicas" section"
Click on "Create new revision"
Click on Application > Revisions and replicas an observe a new revision being activated
Next, click on the "Container" tab
Click on the container image name link, in this case "keeperautomator" at the bottom
Navigate to Health Probes and enter the following under each section:
Under "Liveness probes":
Enable liveness probes
Transport: HTTP
Path: /health
Under "Startup probes":
Enable startup probes
Transport: HTTP
Path: /health
Under "Volume Mounts" tab:
Select "+ Add"
Select the volume you created in a previous step and Add Mount Path as /usr/mybin/config
Finish the configuration
Click on Save
Then click on Create to build the new configuration
After a few minutes, the new containers should start up
Wait until the revision is done activating.
From the Overview section of the Container App, on the right side is the "Application URL" that was assigned. Copy this and use this Application URL in the next step.
For example, https://craigautomator1.xyx-1234.azurecontainerapps.io
Keeper Commander is required to perform the final step of Automator configuration. This can be run from anywhere, it does not need to be installed on the server.
On your workstation or server, install Keeper Commander CLI. The installation instructions including binary installers are here:
After Commander is installed, launch Keeper Commander, or from an existing terminal you can type keeper shell to open the session, then login using the login command. In order to set up Automator, you must login as a Keeper Administrator, or an Admin with the ability to manage the SSO node.
Create the Automator using a series of commands, starting with automator create with your node name.
The Node Name (in this case "Azure Cloud") comes from the Admin Console UI as seen below.
The output of the command will display the Automator settings, including metadata from the identity provider.
Note that the "URL" is not populated yet. This is the Application URL from Step 8.
Run the "automator edit" command as displayed below, which sets the URL and also sets up the skills (team, team_for_user and device).
Next we exchange keys: The enterprise private key encrypted with the Automator public key is provided to Automator:
Initialize the Automator with the new configuration
Enable the service
At this point, the configuration is complete.
For external health checks, you can use the below URL:
https://<server>/health
Example curl command:
Now that Keeper Automator is deployed, you can test the end-user experience. No prompts for approval will be required after the user authenticates with the SSO identity provider.
The easiest way to test is to open an incognito mode window to the Keeper Web Vault and login with SSO Cloud. You will not be prompted for device approval.
Azure Container Apps have many advanced capabilities that are beyond the scope of this documentation. A few of the capabilities are provided below.
If you would like to have multiple containers running the Keeper Automator service:
Click on "Scale and replicas"
Click "Edit and deploy"
Click on the "Scale" tab
Select the min and max number of containers. The minimum should be at least 1.
The Keeper Automator logs can be viewed and monitored using the "Console" or "Log stream" section.
For example, to tail the log file of a running Automator service:
Click on Console
Select "/bin/sh"
Click Connect
At the prompt, type: tail -f logs/keeper-automator.log
Environment variables can be passed into the Container to turn on/off features of the runtime environment. The variables with their description can be found at the page.
Create a new Apps Environment or select an existing environment
Click Next : Container >
docker.ioSet the Image and tag as keeper/automator:latest
Skip to "Container resource allocation"
For CPU and Memory, 0.5 CPU cores and 1Gi memory is sufficient, but this can be updated based on your volume of new device logins.
Create an environment variable called AUTOMATOR_CONFIG_KEY with the value from Step 1 above of the setup guide.
Create an environment variable called AUTOMATOR_PORT with the value of 8089
Create an environment variable called SSL_MODE with the value of none
Click "Next : Ingress >"
Target port set to 8089
8089Initial delay seconds: 5
Period seconds: 30
8089Initial delay seconds: 5
Period seconds: 30
Click Create
After a minute, the new version will deploy
Run automator setup xxx multiple times (one for each container)
Run automator init xxx multiple times (one for each container)
openssl rand -base64 32[Byte[]]$key = New-Object Byte[] 32; [System.Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($key); [System.Convert]::ToBase64String($key)$ keeper shell
My Vault> login [email protected]
_ __
| |/ /___ ___ _ __ ___ _ _
| ' </ -_) -_) '_ \/ -_) '_|
|_|\_\___\___| .__/\___|_|
v16.x.xxx |_|
password manager & digital vault
Logging in to Keeper Commander
Enter password for [email protected]
Password: ********************
Successfully authenticated with Master Password
Syncing...
Decrypted [58] record(s)
My Vault>My Vault> automator create --name "My Automator" --node "Azure Cloud" Automator ID: 1477468749950
Name: My Automator
URL:
Enabled: No
Initialized: No
Skills: Device Approvalautomator edit --url https://<application URL> --skill=team --skill=team_for_user --skill=device "My Automator"automator setup "My Automator"automator init "My Automator"automator enable "My Automator"$ curl https://craigautomator1.xyz.azurecontainerapps.io/health
OK
